fix: soil worker deployment needs arq command (was running uvicorn API) #89
| name: Build and Push | |
| on: | |
| push: | |
| branches: [master] | |
| tags: ["v*"] | |
| paths-ignore: | |
| - "*.md" | |
| - "docs/**" | |
| pull_request: | |
| branches: [master] | |
| workflow_dispatch: | |
| env: | |
| REGISTRY: ghcr.io | |
| API_IMAGE: ghcr.io/nkz-os/nkz-module-soil/soil-api | |
| WORKER_IMAGE: ghcr.io/nkz-os/nkz-module-soil/soil-worker | |
| MIGRATE_IMAGE: ghcr.io/nkz-os/nkz-module-soil/migrate | |
| jobs: | |
| # ========================================================================== | |
| # Test — backend unit tests + lint | |
| # ========================================================================== | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| cache: "pip" | |
| cache-dependency-path: pyproject.toml | |
| - name: Install system dependencies | |
| run: sudo apt-get update -qq && sudo apt-get install -y -qq libgeos-dev libproj-dev | |
| - name: Install nkz-platform-sdk from source | |
| run: | | |
| git clone --depth 1 https://github.com/nkz-os/nkz.git /tmp/nkz-platform-sdk-src | |
| pip install -e /tmp/nkz-platform-sdk-src/services/nkz-platform-sdk | |
| - name: Install backend dependencies | |
| run: pip install -e ".[dev,geo]" | |
| - name: Lint (ruff) | |
| run: ruff check backend/src/nkz_soil/ tests/ | |
| - name: Run tests | |
| # Full suite — the license suppression-boundary, provider and worker | |
| # suites live outside tests/unit/ and MUST gate (a leak of | |
| # non-redistributable JRC fractions is a legal exposure). | |
| run: PYTHONPATH=backend/src pytest tests/ -v --tb=short | |
| # ========================================================================== | |
| # Build frontend MF2 bundle | |
| # ========================================================================== | |
| build-frontend: | |
| name: Build Frontend MF2 | |
| runs-on: ubuntu-latest | |
| needs: test | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "22" | |
| - name: Install pnpm | |
| uses: pnpm/action-setup@v4 | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Type check | |
| run: pnpm run typecheck | |
| - name: Frontend unit tests | |
| run: pnpm run test | |
| - name: Build MF2 bundle | |
| run: pnpm run build:module | |
| env: | |
| NKZ_VERSION_HASH: ${{ github.sha }} | |
| - name: Upload bundle artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: soil-module-bundle | |
| path: dist/ | |
| retention-days: 30 | |
| - name: Deploy to MinIO (versioned) | |
| if: github.event_name != 'pull_request' | |
| env: | |
| MINIO_ENDPOINT: ${{ secrets.MINIO_ENDPOINT }} | |
| MINIO_ACCESS_KEY: ${{ secrets.MINIO_ACCESS_KEY }} | |
| MINIO_SECRET_KEY: ${{ secrets.MINIO_SECRET_KEY }} | |
| run: | | |
| if [ -z "${MINIO_ENDPOINT:-}" ] || [ -z "${MINIO_ACCESS_KEY:-}" ] || [ -z "${MINIO_SECRET_KEY:-}" ]; then | |
| echo "::warning::MinIO secrets missing (MINIO_ENDPOINT / MINIO_ACCESS_KEY / MINIO_SECRET_KEY). Skipping deploy." | |
| exit 0 | |
| fi | |
| SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-8) | |
| wget -q https://dl.min.io/client/mc/release/linux-amd64/mc | |
| chmod +x mc | |
| ./mc alias set myminio "$MINIO_ENDPOINT" "$MINIO_ACCESS_KEY" "$MINIO_SECRET_KEY" | |
| ./mc cp -r dist/ "myminio/nekazari-frontend/modules/soil/${SHORT_SHA}/" | |
| ./mc anonymous set public "myminio/nekazari-frontend/modules/soil/${SHORT_SHA}/" | |
| - name: Activate version | |
| if: github.event_name != 'pull_request' | |
| env: | |
| MINIO_ENDPOINT: ${{ secrets.MINIO_ENDPOINT }} | |
| MINIO_ACCESS_KEY: ${{ secrets.MINIO_ACCESS_KEY }} | |
| MINIO_SECRET_KEY: ${{ secrets.MINIO_SECRET_KEY }} | |
| run: | | |
| SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-8) | |
| if [ -z "${MINIO_ENDPOINT:-}" ] || [ -z "${MINIO_ACCESS_KEY:-}" ] || [ -z "${MINIO_SECRET_KEY:-}" ]; then | |
| echo "::warning::MinIO secrets missing. Skipping activation." | |
| exit 0 | |
| fi | |
| curl -s -X POST "${{ secrets.API_URL }}/api/modules/soil/deploy" \ | |
| -H "Content-Type: application/json" \ | |
| -H "X-Internal-Token: ${{ secrets.NKZ_INTERNAL_TOKEN }}" \ | |
| -d "{\"version\": \"${SHORT_SHA}\"}" \ | |
| || echo "WARNING: deploy activation failed (API may not support /deploy yet)" | |
| # ========================================================================== | |
| # Build and push API Docker image | |
| # ========================================================================== | |
| build-api: | |
| name: Build API Image | |
| runs-on: ubuntu-latest | |
| needs: test | |
| if: github.event_name != 'pull_request' | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.API_IMAGE }} | |
| tags: | | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| type=ref,event=branch | |
| type=semver,pattern={{version}} | |
| type=sha,prefix= | |
| - name: Build and push API image | |
| id: build-api | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: ./backend/Dockerfile | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Record API image digest | |
| run: | | |
| echo "soil-api digest: ${{ steps.build-api.outputs.digest }}" | |
| echo "Update k8s/deployment-api.yaml with:" | |
| echo " image: ${{ env.API_IMAGE }}@${{ steps.build-api.outputs.digest }}" | |
| # ========================================================================== | |
| # Build and push Worker Docker image | |
| # ========================================================================== | |
| build-worker: | |
| name: Build Worker Image | |
| runs-on: ubuntu-latest | |
| needs: test | |
| if: github.event_name != 'pull_request' | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.WORKER_IMAGE }} | |
| tags: | | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| type=ref,event=branch | |
| type=semver,pattern={{version}} | |
| type=sha,prefix= | |
| - name: Build and push Worker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: ./backend/Dockerfile.worker | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| # ========================================================================== | |
| # Build and push Migrate Docker image | |
| # ========================================================================== | |
| build-migrate: | |
| name: Build Migrate Image | |
| runs-on: ubuntu-latest | |
| needs: test | |
| if: github.event_name != 'pull_request' | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.MIGRATE_IMAGE }} | |
| tags: | | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| type=ref,event=branch | |
| type=semver,pattern={{version}} | |
| type=sha,prefix= | |
| - name: Build and push Migrate image | |
| id: build-migrate | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: ./backend/Dockerfile.migrate | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Record Migrate image digest | |
| run: | | |
| echo "migrate digest: ${{ steps.build-migrate.outputs.digest }}" | |
| echo "Update k8s/job-soil-migrate.yaml with:" | |
| echo " image: ${{ env.MIGRATE_IMAGE }}@${{ steps.build-migrate.outputs.digest }}" | |
| # ========================================================================== | |
| # Summary | |
| # ========================================================================== | |
| summary: | |
| needs: [build-frontend, build-api, build-worker, build-migrate] | |
| runs-on: ubuntu-latest | |
| if: always() | |
| steps: | |
| - name: Summary | |
| run: | | |
| echo "## Build Summary" >> $GITHUB_STEP_SUMMARY | |
| echo "- API: \`${{ env.API_IMAGE }}:latest\`" >> $GITHUB_STEP_SUMMARY | |
| echo "- Worker: \`${{ env.WORKER_IMAGE }}:latest\`" >> $GITHUB_STEP_SUMMARY | |
| echo "- Migrate: \`${{ env.MIGRATE_IMAGE }}:latest\`" >> $GITHUB_STEP_SUMMARY | |
| echo "- MF2 bundle: uploaded as artifact and deployed to MinIO" >> $GITHUB_STEP_SUMMARY | |
| echo "- SHA: ${{ github.sha }}" >> $GITHUB_STEP_SUMMARY | |
| # Publish MF2 remote via OIDC (push to main only) | |
| publish-module: | |
| name: Publish Module | |
| needs: test | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/master' | |
| permissions: | |
| id-token: write | |
| contents: read | |
| uses: nkz-os/nkz/.github/workflows/_publish-module.yml@main | |
| with: | |
| module_id: soil | |
| secrets: | |
| INTERNAL_SERVICE_SECRET: ${{ secrets.INTERNAL_SERVICE_SECRET }} |
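Review bot: The `mc` client fetched in "Deploy to MinIO (versioned)" is never verified before it is run with the MinIO access and secret keys: `wget -q https://dl.min.io/client/mc/release/linux-amd64/mc` takes whatever that URL serves at build time, then `./mc alias set` hands it the bucket credentials. Pin a specific client release and check its digest before `chmod +x mc`, for example `echo "<MC_SHA256_PLACEHOLDER>  mc" | sha256sum -c -`. In "Activate version", `curl -s` exits 0 on an HTTP error status, so the `|| echo "WARNING: ..."` branch only fires on transport failures and a rejected activation passes silently; `curl -fsS` would surface it. That step also interpolates `${{ secrets.API_URL }}` and `${{ secrets.NKZ_INTERNAL_TOKEN }}` straight into the script text, while the MinIO secrets go through `env:`; passing these two through `env:` as well keeps their values out of the generated shell script.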